Webhooks, audit logs & data privacy
TryMellon provides event-driven webhooks, audit logs, and GDPR-oriented user data report and deletion so you can integrate auth events into your systems and meet data transparency and erasure requirements.
1. Webhooks
Per application you can configure an optional webhook URL in the TryMellon dashboard. When enabled, TryMellon sends HTTP requests to your endpoint for relevant auth events (e.g. user authenticated, registration completed). This allows you to sync user lifecycle or trigger downstream flows without polling.
- Where to set it: Dashboard → your app → settings → Webhook URL.
- Auth: Webhook payloads and verification depend on your plan; see the dashboard and API docs for your tenant for the exact contract.
2. Audit logs
Tenant-scoped audit logs record auth and management events. You can:
- Dashboard: View recent audit activity for your organization.
- API: Use GET /v1/audit-logs with your Bearer token (OAuth2 client credentials) to list and filter logs programmatically (e.g. by event type, pagination). Useful for compliance, debugging, and SIEM integration.
Logs are retained according to your plan; retention and purge policies are documented in the backend API reference for your deployment.
3. User data report & deletion (GDPR)
To support GDPR (and similar) data subject rights:
- User data report (transparency / portability): Your backend can call the TryMellon API to obtain a privacy-safe report of what data we hold for a given user (e.g. GET /v1/privacy/user-data/:external_user_id). The report does not include raw PII beyond what you have provided; it is designed for disclosure to the data subject or for your own records.
- User deletion (erasure): Your backend can call the user deletion endpoint (e.g. DELETE /v1/users/:external_id) with server-to-server authentication. TryMellon hard-deletes the user and related credentials, scrubs that user from audit logs where required, and invalidates all existing sessions for that user.
Exact endpoint paths, auth (Bearer vs Basic), and scoping are documented in the backend API docs for your environment and in the dashboard. Your backend must identify the user (e.g. by external_user_id) and call these endpoints; TryMellon does not store or process your users’ personal data beyond what is needed for auth and recovery, and supports your compliance workflow via these APIs.
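An added example (not TryMellon's own code) of the report-then-delete workflow described above, with the user identifier percent-encoded so it cannot change which endpoint is addressed. The base URL, the use of Bearer auth, the 2xx success check, and the function names are assumptions; the paths are the "e.g." paths quoted in this section, so confirm them against your tenant's API docs.

```python
import urllib.parse
import urllib.request

# Assumptions (not from the TryMellon docs): placeholder base URL, Bearer auth,
# and "any 2xx status means success". Paths are the "e.g." paths quoted above.
API_BASE = "https://api.example.invalid"
REPORT_PATH = "/v1/privacy/user-data/{id}"
DELETE_PATH = "/v1/users/{id}"


def build_request(method, path_template, external_user_id, token):
    """Build a server-to-server request with the user id safely encoded."""
    if not external_user_id or external_user_id in (".", ".."):
        raise ValueError("external_user_id must be a non-empty identifier")
    # quote(..., safe="") encodes "/", "?" and "#", so an id supplied by
    # another system can never redirect the call to a different endpoint.
    segment = urllib.parse.quote(external_user_id, safe="")
    url = API_BASE + path_template.format(id=segment)
    return urllib.request.Request(
        url, method=method, headers={"Authorization": "Bearer " + token}
    )


def send(request):
    """Default transport: perform the HTTP call and return (status, body)."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.status, resp.read()


def erase_user(external_user_id, token, transport=send):
    """Fetch the data report for your records, then request deletion.

    Returns the report body; raises if either step does not return 2xx.
    """
    report_req = build_request("GET", REPORT_PATH, external_user_id, token)
    status, report = transport(report_req)
    if not 200 <= status < 300:
        # Stop here: the report cannot be retrieved after the hard delete.
        raise RuntimeError(f"report failed with HTTP {status}; user not deleted")
    delete_req = build_request("DELETE", DELETE_PATH, external_user_id, token)
    status, _ = transport(delete_req)
    if not 200 <= status < 300:
        raise RuntimeError(f"deletion failed with HTTP {status}")
    return report
```

Pass a fake `transport` in tests so the workflow can be exercised without network access or a real token.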
4. Related docs
- Getting Started — SDK and app setup.
- Backend validation — Validate session tokens on your backend.
- Security — WebAuthn model and best practices.
- Dashboard and plan-specific API documentation for webhook payloads, audit filters, and retention.